Walk me through your core tooling for static versus dynamic malware analysis and when you use each.
Short answer
Static tooling reads the sample at rest: PEStudio, CFF Explorer and pefile for headers and imports, FLOSS and strings for embedded text, capa for capability mapping, and Ghidra or IDA for disassembly. Dynamic tooling watches it run inside an isolated VM: Procmon and Process Hacker for host activity, Wireshark and INetSim or FakeNet for faked network, Regshot for before/after diffs, and x64dbg for controlled stepping. The workflow is triage statically, detonate dynamically, then return to the disassembler to fill behavioral gaps.
Interviewers ask this to see whether you have actually sat in front of samples or only read about analysis. Naming tools is easy; explaining why each earns its place in the workflow is what separates a practitioner from a memorizer.
Static tooling — reading the sample at rest
The first pass never runs the file. You start with hashes (to query VirusTotal and internal threat intel), then a PE viewer — PEStudio, CFF Explorer, or the pefile Python library — to read headers, section names and entropy, the import address table, and embedded resources. FLOSS extends plain strings by decoding stack and obfuscated strings that static strings misses. capa maps code constructs to behaviors ("creates a service", "encrypts data with RC4") by matching rules against disassembly, giving you a capability summary before you read a single instruction. For deep logic you open Ghidra (free, scriptable) or IDA Pro to disassemble and decompile.
Dynamic tooling — watching it execute
Inside an isolated VM with snapshots, you instrument the host and the network. Procmon captures file, registry and process events; Process Hacker or Process Explorer show spawned processes, injected threads and handles; Regshot diffs the registry before and after detonation. For network you point the sample at a faked internet — INetSim or FakeNet-NG — and capture with Wireshark so the malware "talks" to its C2 without reaching real infrastructure. When behavior is gated or you need to see decryption happen, you attach x64dbg and step through.
The workflow
Triage statically, detonate dynamically, then return to the disassembler with the runtime observations as a map. A strong candidate stresses that the tools are complementary, not competing.
Likely follow-ups
- What does capa add beyond a plain import-table review?
- Why fake the network with INetSim instead of letting the sample reach the real internet?
- When would you drop into x64dbg instead of a static disassembler?